[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] UX improvement proposal: Onion auto-redirects using Alt-Svc HTTP header



Hi,

On 13/07/18 16:24, Tom Ritter wrote:
> Ah, that makes sense. You want /foo.html to serve an Onion-Location
> that goes to /foo.html

Exactly! But I might also want that /foo/bar.html goes to /bar.html on
the onion service while /baz/bar.html goes to /bar.html on another onion
service. Otherwise I don't think we can claim that the Onion-Location
header is similar to the Location header.

> But you're saying you did this manually for each file?  I guess I
> hadn't thought about how I would implement this (for Apache)... http
> -> https redirection is done with mod_write, typically something like

My personal website is currently hosted by Netlify. They allow you to
provide a file that is used to send custom headers on a per-URL basis.

https://www.netlify.com/docs/headers-and-basic-auth/

I've attached the script I'm using for this. It's a manual step in that
I have to run the script. I could probably automate it if I learnt a
little more Hugo.

> I don't mess with Apache/mod_rewrite much, but surely there's a way to
> write out the Onion-Location header with the supplied path/querystring
> automatically?

I would imagine there are ways to configure this, but I don't know what
they are.

> I agree that if a Location header is present, the browser should
> follow it immediately. If the subsequent location has an
> Onion-Location header (and no Location header) then the browser should
> prompt.

This sounds reasonable.

> Location is a non-prompt, non-negotiable redirect.
> Onion-Location is a prompted, user-chosen redirect.
> 
> The only question in my mind is if the user has opted in to always
> following Onion-Location redirects, then the question is: which header
> do you follow? And I would suggest Onion-Location although I don't
> have a strong argument for that choice besides "It's our feature, we
> should give it precedence."

I think in this case, I would prefer to follow the Onion-Location header
first, as the user has chosen to make the usability trade-off for
security by enabling the automatic redirects.

Would it be worthwhile for me to write some text to this effect as a
patch for the proposal document?

Thanks,
Iain.
#!/usr/bin/zsh

hugo

find public | \
	grep index.html | \
	sed 's/^public//' | \
	sed 's/index.html$//' | \
	awk '{ print $0 "\n  Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion"; $0 }' \
	> static/_headers

# Limited compatibility with Healthy Onions add-on
sed -i 's,^  Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion/$,  Onion-Location: http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion,' static/_headers

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev